12-02-07, 11:22 PM   #21
unbeliever
A Murloc Raider
Join Date: Jul 2007
Posts: 5
Make sure you boot into Safe Mode, not Safe Mode with Networking or anything like that. If it still won't work, try AntiVir - it will mark files that it can't delete for deletion on next boot.
I booted in safe mode with networking so I could just copy and paste the text into cmd. I'll try safe mode or safe mode with cmd when I get home and see if that'll let me delete wzcsvbc.dll.

I changed my password on my work computer so hopefully gold farmers haven't had the chance to steal my gold.......farming primal fire isn't fun!
12-03-07, 12:12 AM   #22
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
Update: ScytheBlade1 has written a batch file to remove all 3 versions of the keylogger. Dolby has verified that this does work. The first post of the thread has the information about it and the download, if you wish to use it.
__________________
“Do what you feel in your heart to be right — for you’ll be criticized anyway.” ~ Eleanor Roosevelt
~~~~~~~~~~~~~~~~~~~
Co-Founder & Admin: MMOUI
FaceBook Profile, Page, Group
Avatar Image by RaffaeleMarinetti
12-03-07, 12:36 AM   #23
unbeliever
A Murloc Raider
Join Date: Jul 2007
Posts: 5
Once you've got it downloaded and extracted, reboot into safe mode and then run RemoveKeylogger (the file that looks like a gear). Reboot once more into "normal" mode and the keylogger should be removed. Please follow the steps in the original post to ensure that it is actually gone before you trust your computer.
At risk of sounding like a noob, what do you mean "Please follow the steps in the original post to ensure that it is actually gone before you trust your computer". What do I need to do on top of running the batch file by ScytheBlade1?

Thanks for your help by the way
12-03-07, 01:55 AM   #24
Elkano
A Flamescale Wyrmkin
 
AddOn Author
Join Date: Oct 2005
Posts: 131
It's sad to see people doing such stuff knowing that there is hardly a way to stop them. :/
But good to see that it's taken care of. As tekkub said on wowace, by targeting the addon developers they've made a bad choice...

BTW: Cairenn, will the archives now also be checked on a schedule to make sure they don't contain any executables? Since even if uploading executables or archives containing them is permitted, they could still compromise existing ones after upload.
12-03-07, 03:15 AM   #25
Zyonin
Coffee powered Kaldorei
 
AddOn Author
Join Date: May 2006
Posts: 1,443
Originally Posted by unbeliever
At risk of sounding like a noob, what do you mean "Please follow the steps in the original post to ensure that it is actually gone before you trust your computer". What do I need to do on top of running the batch file by ScytheBlade1?

Thanks for your help by the way
If you need to remove those files, just run the batch file. The manual instructions are there for those who are comfortable with rooting around in their system and want to make sure they have nuked those files. However for most users who are infected with those files, the batch file will work nicely.
__________________
Twitter
12-03-07, 03:46 AM   #26
shazzy
A Murloc Raider
 
Join Date: Oct 2005
Posts: 7
When I had this keylogger it was over a month ago and I got it from the wowinc client installer, so it looks like their exe files were compromised at some point also. It took me a whole day to get rid of this keylogger and the only way I eventually did it was installing Kaspersky. It found it immediately, and the three nasty files. It might be worth getting a month's free trial if you still have trouble after the batch file.

It is very nice to see an addon site actively and openly doing something about it. I knew there was a reason I liked wowinterface a LOT.
12-03-07, 08:58 AM   #27
Faette
A Kobold Labourer
Join Date: Dec 2007
Posts: 1

Originally Posted by unbeliever
I just went home at lunch to try the fix. However it won't let me delete the wzcsvbc.dll file. I booted in safe mode (following all of the instructions in this post), I'm admin and I have permissions to delete system files. But when I try and delete the file using the cmd prompt it says access denied. I navigated to the file and tried to delete and again it won't let me.

Can anyone tell me what I'm doing wrong or offer an alternative method?

I had this problem last night .. scared the crap outa me! I did all the instructions posted to the letter and it would not remove the "b" from the wzcsvc.dll file.

In a last ditch effort I went to the http://freeav.com site that Cairenn listed in her original post and it worked.

Go to the site .. download their free software and run it. When it hits on the trojan your computer will beep. It's irritating but keep on going till the scan is done. Then restart your comp, start wow as stated in the original post but do not log in, then close out of that and go back to run > regedit. You might see two wzcsvc.dll files now (not sure why but I have two, one in all caps and one in small caps). I went to both and made sure the "b" was not in there and it wasn't. Crisis contained.

Thanks for hopping on the issue Cairenn and all others. You people are WONDERFUL!!
12-03-07, 09:40 AM   #28
Rushster
UI.WorldofWar Staff
Join Date: Jun 2005
Posts: 3
Just a heads-up that it will not have been your SSH that was compromised, they use another method. Anyway, I will pass on the details in a mail or PM to Cairenn. This is why it is hard to trace and why it took so long for us at incgamers to not only confirm an infiltration but to find the root of the cause before giving a complete run-down of the situation to the public at large, even though the corrupt files were removed right away. It is a nasty business, this, and the no exe policy was also added to wowui last week; it's just too risky.
__________________
ui.worldofwar.net

Last edited by Rushster : 12-03-07 at 09:43 AM.
12-03-07, 10:24 AM   #29
Ursoc777
A Kobold Labourer
Join Date: Dec 2007
Posts: 1
I'm wondering if I have to do this, I did download the file, but I did not install it, which seems to me that I am ok, but if I'm not, please let me know.
12-03-07, 11:01 AM   #30
Grizzly UK
A Black Drake
 
Join Date: Jan 2006
Posts: 85
Originally Posted by Ursoc777
I'm wondering if I have to do this, I did download the file, but I did not install it, which seems to me that I am ok, but if I'm not, please let me know.
If you haven't done anything with the file you downloaded then you should be fine. You would have to extract and run the corrupted .exe file for the trojan to be installed onto your system. If you're still concerned about this, then you should first look for the corrupted file and/or use one of the already mentioned anti-virus software packages to scan your system.

Meanwhile, I would strongly suggest that you delete the file you downloaded ASAP so as to prevent accidental installation in the future!
12-03-07, 01:47 PM   #31
Syxx
An Onyxian Warder
 
AddOn Author
Join Date: May 2005
Posts: 350
I guess I dodged a bullet. I downloaded SewellUI last night and have no signs of infection.
I was running Avast! but have installed AntiVir and done about 40 different virus scans from various online scanners and mobile scanners I keep on jumpdrives and bootable CDRs for working on other people's computers, and no sign of infection.

Whew!
12-03-07, 01:54 PM   #32
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
If you downloaded it last night, you downloaded the clean version. That particular mod was quarantined by 2am eastern on December 1st and the entire fs2 file server by 5am.
12-03-07, 02:12 PM   #33
Syxx
An Onyxian Warder
 
AddOn Author
Join Date: May 2005
Posts: 350
Again I'll say Whew! I hope those that are infected get all cleaned up. I know I'm going over a little later today to help a friend clean his system from this nasty trojan.

Thanks to all the admins here for the constant stream of info and updates.

/salute

12-03-07, 03:40 PM   #34
FelixTeCat
A Fallenroot Satyr
Join Date: Nov 2006
Posts: 24
<3 Cairenn and WoWI

This is a sad, sad day when my fav site gets hacked. I hate how the few idiots in the world force us to not trust anyone and to always be looking over our shoulders. Cairenn and the whole WoWI staff, I thank you for your hard work in keeping those safe from these types of intrusions.


I am happy I ATM don't need to worry about these types of things.
"Shameless Mac OS X Plug here"
12-03-07, 07:54 PM   #35
Kaomie
A Scalebane Royal Guard
 
AddOn Author
Join Date: Jan 2007
Posts: 438
Of course it is while I am traveling that things like this happen...

Scary thing is I installed KaoMod myself on my laptop using the download from WowInt because I did not want to spend time getting the original directly from my desktop at home, but luckily it was a different version (I hope clean).

Anyway, since I do not trust ZIP any more or less than executables (should the hackers have been smart and used one of WinZip's past or present flaws and a more discreet Trojan/KL, we would still probably not know about it), I will discontinue publishing KaoMod altogether.

As for WowInt, there is not much that could have been done I guess. Something along the same line happened even with the official Debian repositories. The only thing you can do is enforce use of hash signatures provided directly by Authors and clearly displayed on the site, like MD5 checksums. But then not everyone can do that, on both the Authors' and users' sides.

Good luck,
__________________
Kaomie
"WE LOTS OF PEOPLE FROM STRONG SERVER GUILDS" - Trade Channel
12-03-07, 08:28 PM   #36
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
I'm sorry Kao. Please note that no one has ever accused you of having uploaded something malicious. We know it wasn't you.

I'm sorry to lose you as a contributor on the site. Your mod was liked and used by a lot of people and I'm sure there are going to be a lot of people sorry to see you go.

/wishes none of this had ever happened.
12-03-07, 08:38 PM   #37
Tekkub
A Molten Giant
 
AddOn Author
Join Date: Dec 2005
Posts: 960
Checksums would be a nice idea to help the "in the know" people validate that it's the correct file... but it's not a perfect solution. "The masses" will just download and install, hell I myself have never actually bothered to validate a checksum. And if another intrusion happened, the person could just modify the stored checksum to match the new file... so, honestly, I don't think it would help in any way, sadly. Not unless the checksum were saved somewhere else that they didn't have access to.

I wouldn't abandon your work over this though. Zip may have its issues too, but, well, you can't just sit at home all day because someone might crash into your car if you drive it. It's obvious they weren't targeting your mod directly, exe was just an easier place to inject.

As I see it the only way WoWI could avoid the zip holes you're worried about would be to repackage every addon that comes in. You submit a zip, the system unpacks it, an admin checks it, then the system makes a fresh zip to serve up to people. That would only protect from submitted virii though, which hasn't been an issue. If someone gained access they could just replace a zip file, and those are all over the site.

In the end, banning executables and locking down security on ssh is all WoWI can do. Don't run away because of the attack, stand up and fight back!
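Kaomie's suggestion of author-published checksums and Tekkub's objection to them (an intruder who can replace the archive can rewrite a checksum stored beside it, so the hash only helps if it lives somewhere the intruder cannot write) can be shown in a few lines. The following is an added example written for this page; it is not code from the thread, from WoWInterface or from any addon. The archive bytes, the `addon.zip` filename and the two checksum lines are constructed samples, and SHA-256 is used as the default alongside the MD5 the thread mentions.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed samples standing in for an addon archive as served by a download
# site: the author's clean build and a copy an intruder has swapped in.
CLEAN_ARCHIVE = b"PK\x03\x04 addon.zip clean contents (constructed sample)"
TAMPERED_ARCHIVE = b"PK\x03\x04 addon.zip contents + injected loader (constructed sample)"


def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory file. 'md5' is what the thread discusses;
    'sha256' is the default assumed here."""
    return hashlib.new(algorithm, data).hexdigest()


def parse_checksum_line(line: str) -> tuple[str, str]:
    """Parse one md5sum/sha256sum-style line: '<hex>  <filename>'
    (a leading '*' on the filename marks binary mode and is dropped)."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2:
        raise ValueError(f"malformed checksum line: {line!r}")
    hexdigest, name = parts
    return hexdigest.lower(), name.lstrip("*")


def verify(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Constant-time comparison of the computed digest with the expected one."""
    return hmac.compare_digest(file_digest(data, algorithm), expected_hex.lower())


def check_download(archive: bytes, site_checksum_line: str,
                   author_checksum_line: str, algorithm: str = "sha256") -> dict:
    """Verify the archive against the checksum hosted next to it AND against
    the author's independently published one. Returns which checks passed."""
    site_hex, _ = parse_checksum_line(site_checksum_line)
    author_hex, _ = parse_checksum_line(author_checksum_line)
    return {
        "colocated": verify(archive, site_hex, algorithm),
        "out_of_band": verify(archive, author_hex, algorithm),
    }


def simulate_site_compromise(algorithm: str = "sha256") -> dict:
    """Tekkub's scenario: the intruder replaces the archive and rewrites the
    checksum file stored beside it. The co-located check still passes; only
    the author's copy, kept where the intruder cannot write, catches the swap."""
    author_line = f"{file_digest(CLEAN_ARCHIVE, algorithm)}  addon.zip"
    # Intruder swaps both the archive and the checksum file next to it.
    site_line = f"{file_digest(TAMPERED_ARCHIVE, algorithm)}  addon.zip"
    return check_download(TAMPERED_ARCHIVE, site_line, author_line, algorithm)


if __name__ == "__main__":
    print(simulate_site_compromise())        # {'colocated': True, 'out_of_band': False}
    print(simulate_site_compromise("md5"))   # same verdict with the thread's MD5
```

The verdict dictionary is the point: a checksum that ships beside the file adds nothing once the host is compromised, while one fetched from the author's own page (or another host the intruder does not control) still flags the replaced archive. The algorithm choice does not change that outcome, which is why the same simulation is run with MD5 and SHA-256.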
12-04-07, 01:49 AM   #38
ScytheBlade1
aka Sbo
 
Premium Member
AddOn Author
Join Date: Jan 2006
Posts: 66
Originally Posted by Rushster
Just a heads-up that it will not have been your SSH that was compromised, they use another method. Anyway, I will pass on the details in a mail or PM to Cairenn. This is why it is hard to trace and why it took so long for us at incgamers to not only confirm an infiltration but to find the root of the cause before giving a complete run-down of the situation to the public at large, even though the corrupt files were removed right away. It is a nasty business, this, and the no exe policy was also added to wowui last week; it's just too risky.
For what it's worth, Rush, the zip now attached to the first post in the thread will work for your users also. It's the same trojan, downloaded from the same host. Same symptoms, same files, same solution.
12-04-07, 02:10 AM   #39
Kaomie
A Scalebane Royal Guard
 
AddOn Author
Join Date: Jan 2007
Posts: 438
Originally Posted by Tekkub
I wouldn't abandon your work over this though.
I agree that would be silly, but I actually had been considering the distribution for a while and this just happened to be the last straw. I have had too many reports or comments of people complaining about the executable format, and this is just an illustration of the possible issues. ZIP was just an example; any format will have its own flaws. It is more a matter of trusting the source and the distribution chain (for which checksums would help, but I agree it is not the ultimate solution either). Anyway, no big deal; like Seerah would say, it is not like there are not 10 billion compilations available these days. Just one less will not hurt.

Originally Posted by Tekkub
stand up and fight back!
There is only so much I can put on my gaming time, which is already reduced to a bare minimum, so no, case closed for me.

Originally Posted by Cairenn
I'm sorry to lose you as a contributor on the site.
I should still be around the forums to be the usual devil's advocate and give people a hard time.
__________________
Kaomie
"WE LOTS OF PEOPLE FROM STRONG SERVER GUILDS" - Trade Channel

Last edited by Kaomie : 12-04-07 at 02:17 AM.
12-04-07, 05:33 AM   #40
shazzy
A Murloc Raider
 
Join Date: Oct 2005
Posts: 7
Originally Posted by Syxx
I guess I dodged a bullet. I downloaded SewellUI last night and have no signs of infection.
I was running Avast! but have installed AntiVir and done about 40 different virus scans from various online scanners and mobile scanners I keep on jumpdrives and bootable CDRs for working on other people's computers, and no sign of infection.

Whew!
Yer, I was using Avast when I got infected. It just can no longer be relied upon.

I know of one person who has lost his account so far. A friend from Germany and, bless, he's only 15. He's working with Blizzard at the moment to get it back.

WoWInterface » Site Forums » News » If you get big enough, they will come ….

